CVE-2025-18742

Critical | Proof-of-Concept

Rockwell Allen-Bradley ControlLogix Authentication Bypass

CRITICAL INFRASTRUCTURE
CVSS v3.1 Base Score: 9.4

Critical severity — Immediate action required

AV: Network | AC: Low | Auth: None

This authentication bypass in ControlLogix 5580 allows unauthenticated CIP command execution. While no active exploitation is confirmed, a functional proof-of-concept is publicly available. The impact is severe: an attacker can modify PLC logic, alter I/O states, or halt the controller. Given Rockwell's dominance in North American manufacturing, this CVE has wide exposure.

Status: Proof-of-Concept
Complexity: Low
Auth Required: No
Initial Access: Network-adjacent CIP connection (TCP/44818)

Known Techniques
  • CIP identity spoofing via malformed Forward Open request
  • Session handle prediction through sequential allocation bypass
Published: 2025-01-22
Modified: 2025-02-05
Vendor: Rockwell Automation
CWE: CWE-287 (Improper Authentication)

Risk Summary
Overall Risk: Critical
Exploitation: Proof-of-Concept
Detection: Medium coverage
Detection Rate: 89%
Rules Available: 2